DARTs flows are currently configured to flow through a single firewall Network Virtual Appliance (NVA). The business is aware of this limitation, and while some other solutions are being investigated for the long term, there is a probability that we'll have to deploy in production using the same solution for traffic flows.
Definitions of the production rules and policies are currently in progress in DTSPO-19016.
We now need to consider the scenario where the pinned Palo Alto firewall goes offline, and how we can quickly fail over to the second Palo Alto firewall as the default mechanism, i.e. load balancing is not in play for DARTs at the moment if the current implementation is adopted in production.
Intended Outcome
Ops runbooks with steps to take to fail over DARTs flows from one Palo Alto firewall to another
Proper documentation of what needs to be done: steps, PRs, etc.
Update Palo patching/upgrade documentation to include a reference to this doc
Doc should include the name or any relevant contacts for if and when a failover needs to happen
For Production, check with <Karthik.Chinnareddyvari> what the process for this is; do we need to create one?
(DARTs, LibraGoB, SDP, Juror will be affected)
When documentation is complete, also confirm with <Karthik.Chinnareddyvari> that the affected teams etc. are fine with this
DTSPO-21958
Summary
DARTs flows are currently configured to flow through a single firewall Network Virtual Appliance (NVA). The business is aware of this limitation, and while some other solutions are being investigated for the long term, there is a probability that we'll have to deploy in production using the same solution for traffic flows.
Definitions of the production rules and policies are currently in progress in DTSPO-19016.
We now need to consider the scenario where the pinned Palo Alto firewall goes offline, and how we can quickly fail over to the second Palo Alto firewall as the default mechanism, i.e. load balancing is not in play for DARTs at the moment if the current implementation is adopted in production.
Intended Outcome
Ops runbooks with steps to take to fail over DARTs flows from one Palo Alto firewall to another
This PR will assist with all AKS environments: https://github.com/hmcts/aks-sds-deploy/pull/654/files <~Alex.Bance> to confirm PR is approved.
Impact on Teams
Restoration of service for DARTs team